Former Employees a Growing IT Security Threat

NEW YORK, Nov. 10 /PRNewswire/ -- Reprisals from recently departed employees and a lack of adequate security budgets and resources are becoming major concerns for senior IT professionals, according to the 12th annual Ernst & Young Global Information Security Survey.

The survey, which canvassed nearly 1,900 senior executives in more than 60 countries, shows that 75% of respondents are concerned with the possible reprisal from employees who have left their organizations. Furthermore, 42% of respondents are already trying to understand the potential risks related to this issue and 26% are already taking steps to mitigate them.

Paul van Kessel, Global Leader of Ernst & Young's Information Technology Risk and Assurance Services practice, comments, "With the economy still in recession, employees that are made redundant may feel resentful towards their previous employer in a number of ways that may affect the smooth operation of an organization. Increasingly, the employer's IT system has become a common target and data theft is also prevalent. It is paramount that companies undertake a specific risk assessment exercise to identify their potential exposure and put in place appropriate risk-based responses."

Finding adequate budgets still a significant challenge

Allocating adequate budget to information security continues to be a challenge in 2009, with 50% of respondents ranking this as a high or significant challenge -- a notable increase of 17 percentage points over 2008. Despite this level of concern, less than half (40%) of respondents plan to increase their annual investment in information security as a percentage of total expenditures, while 52% plan to maintain the same level of spending.

Van Kessel continues, "Information security today already requires a lot more investment, as organizations race to catch up with an accelerating threat landscape, after a much delayed start. However, information security is not immune to external economic forces and senior IT professionals will need to improve efficiency and effectiveness while keeping spending to a minimum."

Complying with regulations

The survey also reveals that regulatory compliance is a top priority for information security leaders and continues to be an important driver of information security improvements.

When asked how much their companies were spending on compliance efforts, 55% of respondents indicate that regulatory compliance costs account for moderate to significant increases in their overall information security costs. Only five percent of respondents plan on spending less over the next 12 months on regulatory compliance.

Ron Koch, Executive Director with Ernst & Young LLP's Information Technology Risk and Assurance Services practice, says, "Government and industry-led regulations have clearly resulted in organizations adopting a more-structured approach to information security." Koch continues, "Becoming compliant is changing organizations' security procedures and policies for the better. However, companies must now shift their focus from exercising 'point in time' security activities to incorporating information security into a comprehensive, enterprise-wide governance, risk and compliance program where managing and automating these efforts on a cost-effective basis can help drive overall business performance improvement."

Leveraging technology

Due to a heightening occurrence of data breaches, data protection is at the forefront of many information security leaders' minds. Implementing or improving Data Leakage Prevention (DLP) technologies -- the combination of tools and processes for identifying, monitoring and protecting sensitive data or information -- is the second-highest security priority in the coming 12 months. Forty percent of respondents rank this as one of their top three priorities.

One of the most startling findings is how few companies encrypt their laptops. Only 41% of respondents currently encrypt them, with 17% planning to do so in the next year. This is surprising given the number of breaches that have occurred due to loss or theft of laptops, that encryption technology is readily available and affordable and that the impact to users during deployment is relatively low.

Koch concludes, "Improving the overall risk management function is one of the highest priorities for businesses as the levels of internal and external risks they must face continue to increase. Organizations are abandoning old paradigms by taking a holistic approach that integrates information security within the business. It is a more flexible, risk-based approach focused on protecting the organization's critical information. It is also better suited to the connected business model needed to support today's increasingly mobile and global workforce."

The full report is available on request or at www.ey.com.

About the survey

The Ernst & Young 2009 Global Information Security Survey was developed with help from Ernst & Young's assurance and advisory clients in more than 60 countries. The fieldwork was conducted between June and August 2009. The results were primarily collected through interviews held with executives from approximately 1,900 organizations across all major industries.

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

For more information, please visit www.ey.com.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

This news release has been issued by Ernst & Young LLP, a member firm of Ernst & Young Global Limited.

SOURCE Ernst & Young

RELATED LINKS
http://www.ey.com